The poor old corporate endpoint has had a bit of a battering in the last few years. Malware is more widespread and complex than ever and it is easy to get infected simply by visiting legitimate sites that have been hacked. Now that the internet has become such a dangerous neighbourhood, are malware blacklists enough to keep the …
Companies have implicit whitelists
Since this is about corporate behaviour, not home users, the whole thing about users downloading stuff onto the company's machines should be moot. Users simply shouldn't be installing anything and anything that does get installed should come by way of the IT dept (isn't that one of their primary functions? or am I being old-fashioned?) and be on their list of approved applications and be sourced from themselves and ONLY from them.
So for companies, they already have a list of apps they are happy for users to use. Ones they can support, that they know will play nice with the other apps and that have been properly acquired through a legal channel.
Again, we're not talking about home users here so "drive-by download sites" simply should not be an issue (and aren't that hard for the compliance people to spot - you DO scan machines for unlicensed softs, don't you?). So I'd expect that any company that is doing their IT even half-right already operates a white-list, although they probably don't call it that. Not after the political officer has had a word, anyway.
An approved app is not the same as a white listed module
An approved application is not the same thing as having approved modules of code.
White listed code means restricting users to specific approved versions of modules, scripts, etc. that have specific hash keys.
For example, not Firefox 6 but Firefox 6.0.2 with only approved versions of approved plug-ins.
Properly it also means enforcing the restriction on all computers connected to the internal network, including those in tech support and programming.
Properly, development and testing computers would have to be on their own networks, with the corporate network firewalled against them.
"Users simply shouldn't be installing anything". Says who? You?
IT is a customer service function whose primary role is to provide solutions to their users, not to tell them "no you can't, what's the question?".
What IT actually provide should be requirements driven solutions to their (internal) customers' business problems.
In "Lean thinking" terms (see http://en.wikipedia.org/wiki/Lean_IT), if an IT service is not contributing value to a business service, it is a source of waste, and should be eliminated.
Unfortunately, many IT departments think they are an end in themselves, rather than a means to an end.
Re: @Pete 2
Mate, you've got serious management potential.
I do not necessarily disagree with what I think you're saying, but it sounds like you've swallowed The MBA's Dictionary of Essential Buzzwords, 3rd ed.
If the business has agreed that IT's function includes keeping the network free of viruses and malware, and usually also that this must cost next to nothing, then most likely yes, he does say.
Customers often don't realise the implications of what they're asking. Clarifying and correcting this perception may be IT's job but very often they have no say in the matter.
If someone burgles your house because you left the door open, this is not the locksmith's fault. If you left the door open because the lock is too difficult to operate, it's probably still not the locksmith's fault that you or maybe the architect insisted on having that type of lock.
If you work in a secure and controlled environment, then whitelisting can make very good sense. But achieving and maintaining that level of control is not for everyone, and can cause a massive amount of work and frustration for users.
Fuck the users, what about reducing sysadmins' frustrations?
What about Apple? Openly publishing exploits pushing us to WLists.
The thing is, this is not such a new idea. It is not significantly more restrictive than what Apple does. And it works for them and their customers are very happy with it.
I'm no fan of Apple, but white-listing is obviously where we are being pushed by blackhat hackers, and by the security consultants who publish exploits openly for blackhats to read.
Up to a point
Having worked in a development environment where the sysadmin had locked down all the machines very well (can't fault his security), it was very time-consuming for the development team who needed very non-standard machine set-ups (FPGA tools and various other bits of design software aren't part of a common roll-out that includes the non-technical personnel) when we'd have to justify each bit of software on a per-machine basis with someone who didn't always respond quickly. We lost hours of productivity due to lack of tools, so there's definitely a middle ground.
I can fully appreciate locking down machines used by people who are likely to click on the link in the dodgy email, but others do have a legitimate need to install other software and are mostly clued-up enough to be careful about it. When your whitelist defines what will even run, that wrecks it for most people writing software because they won't be able to run their own programs.
That's really a different issue. Any sysadmin who has one model only isn't worth paying.
Many operations will require various environments including development, public facing and secure. Insisting that all these environments operate to the same standards is actually creating a security problem. Get an undocumented workaround to enable some dev work and your sysadmin's 'faultless' security is worthless. What you can't fault is your sysadmin's CYA ability.
Whitelisting And the Principle of Least Privilege
...are actually closely related. More specifically, whitelists are an instance of a least-privilege technique.
In my opinion the most important Whitelisting should be done in the perimeter firewall. Corporate users do not have legitimate business on porn, "software download" and gambling sites, for example. Of course, the whitelist must be dynamically expanded and maintained, which does not come for free, but it will be a major contributor to a healthy network.
For sensitive environments such as R&D and finance, it could even be argued that private email services such as Google Mail should be banned - at least the encrypted version (SSL). Otherwise a piece of malware could exfiltrate literally gigabytes of trade secrets, design blueprints, FPGA or ASIC designs etc.
In addition to maintaining the whitelist it is very enlightening to a corporate security department to regularly review which sites have been denied. Many virus infections can be easily identified simply by monitoring the virus while it attempts to connect to its controller server.
That also costs money in the short run, but protects the very existence of a company in the long run.
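The deny-log review the comment above recommends, as an added example that is not the commenter's code or any vendor's tool. The log lines are constructed (RFC 5737 addresses, made-up hostnames) and the `ts action src dst host cat` line format is an assumption; real proxies and firewalls each have their own. The point it shows is the distinction the comment relies on: a user who stumbles onto a blocked gambling site produces a few irregular denies, while malware polling a controller through a default-deny egress filter produces a steady, evenly spaced series of denies to the same destination, which is easy to pick out by looking at the spread of the gaps between attempts.

```python
"""Find beacon-like traffic in a default-deny egress log (constructed sample)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Format is an assumption for this example only.
SAMPLE_LOG = """\
2011-09-12T08:00:01 DENY src=10.1.4.22 dst=203.0.113.7:443 host=cdn-sync.example.net cat=uncategorized
2011-09-12T08:05:01 DENY src=10.1.4.22 dst=203.0.113.7:443 host=cdn-sync.example.net cat=uncategorized
2011-09-12T08:10:02 DENY src=10.1.4.22 dst=203.0.113.7:443 host=cdn-sync.example.net cat=uncategorized
2011-09-12T08:15:01 DENY src=10.1.4.22 dst=203.0.113.7:443 host=cdn-sync.example.net cat=uncategorized
2011-09-12T08:20:01 DENY src=10.1.4.22 dst=203.0.113.7:443 host=cdn-sync.example.net cat=uncategorized
2011-09-12T08:03:17 DENY src=10.1.4.31 dst=198.51.100.9:80 host=bets.example.com cat=gambling
2011-09-12T08:03:40 DENY src=10.1.4.31 dst=198.51.100.9:80 host=bets.example.com cat=gambling
2011-09-12T12:41:05 DENY src=10.1.4.31 dst=198.51.100.9:80 host=bets.example.com cat=gambling
2011-09-12T08:00:59 ALLOW src=10.1.4.31 dst=192.0.2.10:443 host=mail.example.org cat=business
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"host=(?P<host>\S+) cat=(?P<cat>\S+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not guessed at."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            yield event


def denied_by_source(events):
    """Group DENY timestamps by (source host, destination hostname)."""
    groups = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            groups[(e["src"], e["host"])].append(e["ts"])
    return groups


def find_beacons(groups, min_hits=4, max_jitter=0.2):
    """Flag pairs hit at a steady interval: the relative spread of the gaps is small.

    Human browsing gives bursts then long idle periods (large spread); a polling
    loop gives near-identical gaps. Thresholds are tuning knobs, not magic numbers.
    """
    suspects = []
    for (src, host), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        spread = statistics.pstdev(gaps) / mean
        if spread <= max_jitter:
            suspects.append({"src": src, "host": host,
                             "hits": len(stamps), "interval_s": round(mean)})
    return suspects


def review(text=SAMPLE_LOG):
    """Return the beacon candidates plus every (src, host) pair that was denied at all."""
    groups = denied_by_source(parse_log(text))
    return {"beacons": find_beacons(groups), "denied_pairs": sorted(groups)}


if __name__ == "__main__":
    for b in review()["beacons"]:
        print(f"{b['src']} -> {b['host']}: {b['hits']} denies every ~{b['interval_s']}s")
```

On the constructed sample, `10.1.4.22` is reported polling `cdn-sync.example.net` every five minutes, while `10.1.4.31`'s three visits to the gambling site are listed under `denied_pairs` for the policy discussion but not flagged as a beacon. In a real review the `denied_pairs` list is the feed for expanding the whitelist; the `beacons` list is the feed for the incident queue.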
I use SRP
My approach to whitelisting on Windows boxes is to use Software Restriction Policy. Set it to "disallowed by default" and apply it to non-Admins, and the net result is that the users (being non-Admins) can use what the Admin installed, but can't execute anything else. Trojans, exploit payloads, AutoPlay attacks, all go right out the window.
There are some gotchas; for example, Adobe Reader's auto-update mechanism errors out unless a custom hash rule or path rule allows its update file to be executed from its non-approved path (which could be done via GPO if necessary). The LNK filetype must be allowed or desktop links break. Elevating stuff to run as Administrator with a right-click will allow the Admin to do most stuff from the non-Admin's account, but .MSI and .MSP files must be launched from a command prompt since their right-click doesn't have a run-as-Admin option. Another gotcha is that the Home versions of XP/7/Vista don't have a Local Group Policy and therefore don't have the SRP option.
Overall, for the game-changing improvement in security, these are prices I can afford to pay in our small-time operation. No additional licensing, updates, approximately zero performance impact, and difficult-to-impossible for the average user to bypass or disable.
White list a good idea, easily added to existing tools
Existing anti-virus and OS installation monitoring tools could be updated to consult white lists.
Anything not whitelisted could be automatically sent off and made available to accredited AV companies.
Apple proves even most rigid white listing acceptable to home users
Apple has proven that even the most rigid white listing procedures are acceptable to most home users.
In general, home users seem perfectly happy to have the OS vendor control the coding techniques and charge a licensing fee, provided it means their computers will operate trouble free.
In general Apple fans seem perfectly happy with the requirement that running unapproved code means buying a second machine made by a different company.
Rather than home users being the issue, it is commercial companies with their own custom code that would require special accommodation.
@mechBgon: I use SRP
Providing you are restricting by hash (or certificate, if you trust the certificate won't be stolen or borrowed), I think that is a good idea.
Restricting by path or zone won't work since an administrator could easily approve or install trojan infected approved software by mistake, and if an admin didn't, then an admin ID could.
That would mean turning off automatic updating and manually approving the updated and updating modules, or being sure to go around to all the computers and manually update them using an admin ID -- even at the busiest time of year.
You'd still have to be certain to keep your software up to date since I have no doubt some security researcher somewhere would find a way to subvert SRP, and then publish it openly to the blackhat hacker community. So defence in depth still must be maintained.
So SRP is something that organizations can do now, as opposed to waiting for the AV companies or MS to take further action.
Of course it won't work with developers or your external software test machines, but if your company doesn't develop code that doesn't matter.
@ Keith T re: SRP
You noted that "Restricting by path or zone won't work since an administrator could easily approve or install trojan infected approved software by mistake, and if an admin didn't, then an admin ID could." This is technically true, but if you refer to the 10 Immutable Laws Of Computer Security, laws #1 and #6 apply. If the Admin rights are in the hands of untrustworthy users, then the game is over regardless.
So I personally use the Catch-22 of path rules: only allow non-Admins to execute from the Windows and Program Files directories, where they cannot put new files (malicious or otherwise). They (or exploits acting on their behalf) cannot save trojans to locations they can execute them from, unless a privilege escalation to Admin or System privileges is part of the plot. So your average user stumbling into poisoned search results, or being bullied into executing a fake "Flash Player update," is protected by a very strong safety net that doesn't depend on signature updates or even heuristics. Arbitrary, simple, elegant, and paid for.
A layered defense is always best, but this is a very potent last line of defense, and one I'm not sure is given much recognition.
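A runnable model of the SRP configuration mechBgon describes in "I use SRP" and in the reply above, added here as an example; it is not Windows code and not either commenter's. It reproduces the documented evaluation order (a hash rule beats a path rule, the most specific matching path rule wins, and the default level applies when nothing matches) on constructed file paths, so the three gotchas from the thread can be seen: the updater payload that lands in an unapproved folder and needs a hash rule, the `.lnk` type that must be taken out of the governed list or desktop shortcuts stop working, and the Catch-22 of path rules that allow `%SystemRoot%` and `%ProgramFiles%` while denying everywhere a non-admin can write. Assumptions: path rules are plain folder prefixes (no wildcards), the environment map and the governed-type list are small constructed subsets, and SHA-256 stands in for the hash SRP actually used. One caveat the model carries that the comment does not mention: some subfolders of `%SystemRoot%` (Temp and Tasks on many builds) are writable by ordinary users, so the allow-everything-under-Windows rule needs more specific Disallowed rules beneath it.

```python
"""Simplified model of Software Restriction Policy rule evaluation (constructed example)."""
import hashlib

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

# Constructed environment for the client being modelled (keys lower-case; longest first).
ENV = {
    "%programfiles(x86)%": r"c:\program files (x86)",
    "%programfiles%": r"c:\program files",
    "%systemroot%": r"c:\windows",
}

# Subset of SRP's default "designated file types"; anything else (.txt, .pdf) is not checked.
DEFAULT_TYPES = {"exe", "com", "bat", "cmd", "cpl", "msi", "msp", "scr", "pif", "lnk", "reg", "hta"}

# Constructed stand-in for an updater payload the vendor drops outside approved folders.
ADOBE_UPDATE_BYTES = b"constructed updater payload, version 1"


def _norm(path):
    p = path.lower()
    for var, value in ENV.items():
        p = p.replace(var, value)
    return p


class SrpPolicy:
    def __init__(self, default_level=DISALLOWED, designated_types=DEFAULT_TYPES):
        self.default_level = default_level
        self.designated_types = set(designated_types)
        self.path_rules = []   # (normalised folder prefix ending in '\\', level)
        self.hash_rules = {}   # sha256 hex digest -> level

    def add_path_rule(self, folder, level):
        self.path_rules.append((_norm(folder).rstrip("\\") + "\\", level))

    def add_hash_rule(self, file_bytes, level):
        self.hash_rules[hashlib.sha256(file_bytes).hexdigest()] = level

    def evaluate(self, path, file_bytes=None):
        """Return (level, reason): hash rule, then most specific path rule, then default."""
        norm = _norm(path)
        name = norm.rsplit("\\", 1)[-1]
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if ext not in self.designated_types:
            return UNRESTRICTED, "not a designated file type"
        if file_bytes is not None:
            digest = hashlib.sha256(file_bytes).hexdigest()
            if digest in self.hash_rules:
                return self.hash_rules[digest], "hash rule"
        matches = [(prefix, lvl) for prefix, lvl in self.path_rules if norm.startswith(prefix)]
        if matches:
            prefix, lvl = max(matches, key=lambda m: len(m[0]))  # longest prefix = most specific
            return lvl, f"path rule {prefix}"
        return self.default_level, "default level"


def build_policy(allow_shortcuts=True):
    """Default-deny policy with the allow rules from the thread plus the user-writable caveat."""
    pol = SrpPolicy(DISALLOWED)
    pol.add_path_rule(r"%SystemRoot%", UNRESTRICTED)
    pol.add_path_rule(r"%ProgramFiles%", UNRESTRICTED)
    pol.add_path_rule(r"%ProgramFiles(x86)%", UNRESTRICTED)
    # Users can create files in these two on many builds; the more specific deny wins.
    pol.add_path_rule(r"%SystemRoot%\Temp", DISALLOWED)
    pol.add_path_rule(r"%SystemRoot%\Tasks", DISALLOWED)
    # Pin the updater by hash so it may run from wherever it lands, but only that exact file.
    pol.add_hash_rule(ADOBE_UPDATE_BYTES, UNRESTRICTED)
    if allow_shortcuts:
        pol.designated_types.discard("lnk")  # the "desktop links break" gotcha
    return pol


# Constructed test paths: (path, file bytes or None)
CASES = [
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", None),
    (r"C:\Users\alice\AppData\Local\Temp\flash_player_update.exe", None),
    (r"C:\Windows\Temp\dropper.exe", None),
    (r"C:\Users\alice\AppData\Local\Temp\AcroRdrUpd.msp", ADOBE_UPDATE_BYTES),
    (r"C:\Users\alice\AppData\Local\Temp\AcroRdrUpd.msp", ADOBE_UPDATE_BYTES + b"tampered"),
    (r"C:\Users\alice\Desktop\Firefox.lnk", None),
    (r"C:\Users\alice\Documents\notes.txt", None),
]


def run_cases(policy):
    return [(path, policy.evaluate(path, data)) for path, data in CASES]


if __name__ == "__main__":
    for path, (level, why) in run_cases(build_policy()):
        print(f"{level:12} {path}  [{why}]")
```

The tampered-updater case is the argument for hash rules that Keith T makes: the same filename in the same folder is denied once a byte changes, which is exactly what a path rule alone cannot do. The `C:\Windows\Temp` case is the reason to audit the allowed trees for user-writable subfolders before trusting the Catch-22.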
How about using a real OS instead of an extended Desktop with some OS abilities?
ie. Something properly designed so viruses are out of the picture?
Eg. Use Ubuntu 11 - it runs on everything and has fantastic hardware support.
Oh yeah, and it's a Unix with a proper security model so it doesn't get viruses.
Unlike that Desktop with OS bits I hear that some people use (US forces drone pilots for example - the next Sept. 11 won't be terrorists, it will be a drone trying to sell someone something).
Spoken like a true Mac fanboi.
Seriously? Are we still at the point where a tiny market share that by definition has no interest to virus writers is equal to "virus proof"?
Security through obscurity is not the same as obscurity through security.
So for how many minutes would this work before this hypothetical master whitelist gets hacked, subverted or spoofed? :)
Sure https and public keys and a database of sha512 hashes in Fort Knox with full paranoia enabled and an active team of researchers, evaluators may help, but I think it would be simpler for IT departments to do a full audit of their users business needs and software sources, use a properly configured proxy together with an in and outgoing firewall for only approved addresses.
Yes, I know, it's a major pain and requires someone to actually do some work.
In short, criminals are still running rings around business and users, unless everyone could become an IT expert, whereupon there wouldn't be any space left in their brains to do the jobs that they are supposed to be employed for!
IT and personal security should be taught from birth, or at least built into schools' curricula as a really important life skill. QED.